JWT Vulnerability Analyzer
Decode JWT tokens and scan for security vulnerabilities — algorithm attacks, missing claims, expiration issues
Paste a JWT above to decode it and check for common security vulnerabilities. All analysis runs locally in your browser — your token never leaves this page.
You received a JWT from an API and need to inspect its claims and check for common security misconfigurations. This tool decodes the header and payload, shows the signature segment, and runs the vulnerability checks below, all in your browser.
Vulnerability Checks
The analyzer tests for these known JWT security issues:
- Algorithm "none" attack (Critical): the header specifies "alg": "none", so the token carries no signature. A server that accepts unsigned tokens will accept any claims an attacker writes into the payload.
- Weak algorithm (High): the header specifies the symmetric HMAC algorithm HS256. When a verifier expects RS256 but lets the header choose the algorithm and hands the same key material to both code paths, an attacker can sign a forged token with HS256 using the server's RSA public key as the HMAC secret (key confusion). The label does not mean HS256 is cryptographically weak; the risk is an algorithm choice that the verifying side does not pin.
- Missing expiration (High): no exp claim, so the token never expires and a leaked token grants permanent access.
- Expired token (Medium): the exp timestamp is in the past.
- Excessive lifetime (Medium): exp is more than 30 days after the issued-at time (iat).
- Missing issued-at (Low): no iat claim, which makes the token's age harder to determine.
- Missing audience (Low): no aud claim, so the token does not restrict which services may accept it.
- Empty subject (Medium): the sub claim is present but empty.
JWT Structure
A JWT (in JWS compact serialization) has three Base64url-encoded parts separated by dots:
- Header: algorithm and token type, for example {"alg": "RS256", "typ": "JWT"}
- Payload: claims (data) such as sub, exp, iat, iss, aud, and custom fields
- Signature: a cryptographic signature or MAC computed over the encoded header and payload, that is, over the bytes of header.payload
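A Node.js version of the decoder and of the checks listed under Vulnerability Checks, as an added example rather than the page's own code. It uses Node's Buffer for base64url (in a browser you would substitute atob with padding restored). The finding identifiers and the severity weights used for the score are assumptions for illustration, since the page does not state how its score is computed; the sample tokens are constructed inline. One deliberate generalization: "none" is matched case-insensitively, because "None" and "NONE" are spellings some libraries have accepted.

```javascript
// Added example: JWT decoder plus the structural checks the page lists.
// PENALTY weights and finding ids are assumptions; sample tokens are constructed.

function base64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Decode one base64url part and require a JSON object (header and payload
// must be objects; a bare number or array is malformed).
function decodePart(part, name) {
  let value;
  try {
    value = JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
  } catch (err) {
    throw new Error(`${name} is not base64url-encoded JSON`);
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error(`${name} must decode to a JSON object`);
  }
  return value;
}

// Split header.payload.signature. The signature stays as its raw base64url
// string: without the key it can only be inspected, not verified.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('a compact JWT has exactly three dot-separated parts');
  const [h, p, s] = parts;
  return { header: decodePart(h, 'header'), payload: decodePart(p, 'payload'), signature: s };
}

// Build a token for sample input; the signature is a placeholder because the
// analyzer never checks it.
function buildToken(header, payload, signature = 'placeholder-signature') {
  return `${base64urlEncode(header)}.${base64urlEncode(payload)}.${signature}`;
}

const MAX_LIFETIME_SECONDS = 30 * 24 * 60 * 60; // the page's 30-day threshold
const PENALTY = { Critical: 50, High: 25, Medium: 10, Low: 5 }; // assumed weights

function analyzeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const { header, payload, signature } = decodeJwt(token);
  const findings = [];
  const flag = (id, severity, message) => findings.push({ id, severity, message });

  // Algorithm checks.
  const alg = typeof header.alg === 'string' ? header.alg : '';
  if (alg.toLowerCase() === 'none' || signature === '') {
    flag('alg-none', 'Critical', 'token carries no signature; any claims can be forged');
  } else if (/^HS\d{3}$/.test(alg)) {
    flag('hmac-alg', 'High', `${alg} is symmetric; a verifier that trusts the header and also holds an RSA public key is open to key confusion`);
  }

  // Lifetime checks (claims are NumericDate values in seconds).
  const exp = typeof payload.exp === 'number' ? payload.exp : undefined;
  const iat = typeof payload.iat === 'number' ? payload.iat : undefined;
  if (exp === undefined) {
    flag('missing-exp', 'High', 'no exp claim; a leaked token never expires');
  } else {
    if (exp <= now) flag('expired', 'Medium', 'exp is in the past');
    if (iat !== undefined && exp - iat > MAX_LIFETIME_SECONDS) {
      flag('excessive-lifetime', 'Medium', 'exp is more than 30 days after iat');
    }
  }
  if (iat === undefined) flag('missing-iat', 'Low', 'no iat claim; token age cannot be determined');
  if (payload.aud === undefined) flag('missing-aud', 'Low', 'no aud claim; any service would accept it');
  if ('sub' in payload && String(payload.sub).trim() === '') {
    flag('empty-sub', 'Medium', 'sub claim is present but empty');
  }

  const score = Math.max(0, 100 - findings.reduce((sum, f) => sum + PENALTY[f.severity], 0));
  return { header, payload, findings, score };
}

// Constructed sample: an unsigned token with almost no claims, analyzed at a fixed clock.
const SAMPLE_NOW = 1700000000;
const unsignedToken = buildToken({ alg: 'none', typ: 'JWT' }, { sub: 'alice' }, '');
const report = analyzeJwt(unsignedToken, SAMPLE_NOW);
console.log(report.score, report.findings.map((f) => `${f.severity}: ${f.id}`));
```

Passing the clock in as a parameter keeps the expiry checks deterministic in tests; the real analyzer would use the current time. Note that the expired and excessive-lifetime checks only make sense once exp is present, which is why they sit inside the else branch rather than alongside the missing-exp finding.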
Frequently Asked Questions
Is it safe to paste JWTs into this tool? Yes. This tool runs entirely in your browser; no data is sent to any server. JWTs often contain sensitive user information, and a decoder that posts the token to a server exposes that data, and the token itself, to whoever operates that server.
Can this tool verify the signature? No. This tool decodes and analyzes the token structure only. Signature verification requires the signing key (the HMAC secret or the issuer's public key), which this client-side tool does not have.
What is the security score? A 0-100 score based on the number and severity of issues found. 100 means no vulnerabilities were detected in the token structure. The score does not assess signing key strength and says nothing about whether the signature is valid: a token can score 100 here and still carry an invalid or forged signature.